I have a syslog running in the global zone that receives forwarded messages from another syslog that runs in the zone. Interestingly, after halting the zone, there is still an ESTABLISHED TCP connection visible in the global zone (scrooge-ext is the name of the halted zone):
===
root@scrooge:/[188] # lsof | grep scrooge-ext
syslogp 1276 root 21u IPv4 0xffffffff8dd2fcc0 0t2693 TCP 127.1.0.2:shell->scrooge-ext:32777 (ESTABLISHED)
===

As soon as I now kill the global syslog above, the panic occurs.

Interestingly, if I remove the TCP connection with tcpdrop before killing the syslog, the panic does not occur.

This isn't something which we can easily investigate or answer in a forum situation. The crash dump needs to be analysed and further investigation is necessary. I'm not finding any bugs based on the stack alone.

occurred in module "<unknown>" due to an illegal access to a user address

The fact that we see module "<unknown>" means that whatever module this is, it's either been modunloaded or swapped out. It's also the reason why we can't decode the module:function in the stack:

From what you've said, this is reproducible. This makes it much easier to instrument debugging to get the data we need to get to root cause.

Assuming you have a Premium contract for either software or the system itself, please raise a software service request to the network group and provide us with an explorer from the global zone and the crashdump(s). One of the network team can then investigate further.